An improved finegrained ciphertext policy based temporary keyword search on encrypted data for secure cloud storage

We present a temporary keyword search over sensitive and confidential health data in a cloud environment. The cloud constitutes a semi-trusted domain, making it necessary for data owners to secure their data before outsourcing it through techniques like encryption. Attribute-based keyword search techniques tend to perform a search operation using a search token generated by an authorized user. These search tokens can lead to serious privacy threats, as they can extract all ciphertexts that may have been generated along with their keyword. Therefore, restricting search tokens to extract ciphertexts generated within a time interval is a more promising solution. In this paper, we present a novel ciphertext policy fine-grained temporary keyword that prevents the misuse of these search tokens. Further, it mitigates the risk of insider threats within healthcare organizations by limiting the window of opportunity for unauthorized access to minimum. To assess the security, our proposed scheme is formally proven to be secure against Selectively Chosen Keyword Attacks in the generic bilinear group model. Additionally, we demonstrate that the encryption algorithm’s complexity is linear in relation to the number of attributes. Our scheme’s significance and practicality are revealed by the performance evaluation.


Our contribution
Following are our key contributions: 1.In this paper, we propose a Ciphertext-Policy variant of temporary keyword search scheme.The association of access policy with ciphertext is considered better for secure cloud storage as it enables precise control over who can access specific pieces of data based on their attributes.Here, one can define complex access policies based on multiple attributes.It facilitates secure data sharing in shared cloud storage environments as users with different attribute sets can be given access to the same encrypted data.The key policy variant is much more suitable for the broadcast scenario because it allows for centralized control over access policies.The broadcast entity can define access policies that users must meet to access the broadcast content.Miao et al. 1 also proposed a CP variant recently but in their scheme has higher complexity in terms of reassignment of the secret credentials over and over again with time.2. The proposed CP-FG-TKS scheme is secure against search token modification and keyword ciphertext modification attacks.This is achieved by making the hash value of the time component a random element and is tied to the rest of the elements.Unlike 2 , it is not a unique element, which was the primary reason for these attacks in 2 .3. We have implemented and compared the performance of the proposed scheme with existing temporary keyword search schemes, and found them computationally equivalent.

Organization
The rest of the paper is organized as follows.Section "Related work" presents the related work and provides a summary of key features in existing similar schemes built for temporal access.In Section "System preliminaries", related cryptographic assumptions and notions are reviewed, and the proposed CP-FG-TKS scheme is presented formally.Section "Technical overview of CP-FG-TKS" presents our proposed construction.In Section "Construction of CP-FG-TKG", the security and performance of the proposed scheme are discussed in detail.Finally, in Section "Security and performance analysis" paper is concluded.

Related work
Searchable encryption is a cryptographic primitive that is useful for designing secure cloud storage.There are two variants of searchable encryption: symmetric searchable encryption (SSE) and Public-key encryption with keyword search.Song et al. 3 came up with the primary scheme of symmetric searchable encryption.The symmetric variants use the same key for encryption as well as for generating search tokens.This ensures that the user who stores searchable ciphertext is eligible for generating the valid search token as well.Boneh et al. 4 , presented a public key encryption technique (PKES) facilitating keyword-based search over encrypted data.A data owner with the knowledge of the public key respective to the intended data can generate a searchable ciphertext using his/her own public key and deploy it over the cloud.The search token respective to the random keyword is extracted using the data user's secret key and passed over to the cloud.The service provider uses this search token received for searching to generate the relevant result.Searchable encryption schemes developed using public-key settings do not offer fine-grained searching capabilities.To enable fine-grained search control capabilities, attribute-based encryption [5][6][7] is used as an underlying technique for developing searchable encryption schemes.The first attribute-based keyword search (ABKS) scheme was presented by Zheng et al. 8 .Their scheme allows data owners to be the master and control the data user's access to perform searches over his outsourced data.They used an attribute-based encryption scheme, that provides a multiple sender-receiver model for constructing a searchable cryptographic primitive.Each authenticated data user provides a to-do search list to the cloud which is required to be performed without any data owner interaction.Consequently, Sun et al. 9 proposed another attribute-based keyword search scheme with a focus on efficient user revocation.In these schemes, the key fact of reducing the computational burden is not taken into account, which is essential for deploying these schemes in a resource-constrained environment.To address this issue, Li et al. 10 proposed an attribute-based encryption with keyword search where the key generation and decryption tasks were outsourced to reduce the computational burden.Subsequently, several other schemes were proposed in the literature which aim to reduce the computational complexity 11,12 .
Another important fact that is often ignored while developing these fine-grained searchable encryption schemes is that of user privacy.In most of these schemes, attributes and the access policy are generally sent in plaintext along with the search token and ciphertext, which can result in the leakage of sensitive information.To address this Zhang et al. 13 and Liu et al. 14 proposed anonymous ABKS schemes.ABKS schemes do not facilitate the data owners to gain any information regarding the keywords a data user is willing to look for.
There is one more aspect that needs attention while developing ABKS schemes, and that is related to the privacy of search tokens.In all ABKS schemes discussed so far, if the cloud gets a valid search token concerning a keyword, the cloud can dig into its past presence and future ciphertext.Suppose an intruder gets any information about the keyword related to the target search.In that case, he/she can acquire some sensitive information regarding the next document to be outsourced over the cloud.This issue can be resolved by limiting the period of the search token's life.Ameri et al. 2 explored the idea and proposed a temporary keyword search scheme that limits the token validation time to a small time.They proposed a key-policy temporary keyword search; however, it suffers from ciphertext modification and search token modification attacks which were then resolved in a work by Zhang et al. 15 However, in order to provide better and more precise control of data owners in a shared cloud storage environment, the ciphertext-policy variant could be more helpful.To address this Miao et al. 1 proposed a ciphertext-policy variant of temporary keyword search.But in this scheme, the temporal component was embedded in the secret key of the user, which makes it invalid after the specified time, and it leads to increased complexity in terms of reassignment of the secret credentials to the users.It is only the search token that should become invalid after the specified time to limit unauthorized access.This issue is addressed in the proposed scheme where the temporal component is embedded in the search token.Further, in terms of complexity, the proposed scheme is better than [1] the details of which are given in the performance analysis part of Section "Construction of CP-FG-TKG".Apart from these, Liu et al. 16 and Tong et al. 17 recently proposed time-controlled keyword search schemes.Liu et al. scheme 16 does not provide fine-grained capabilities, and the key focus was to provide security against KGA.In the scheme by Tong et al. 17 , the time component is embedded as an extra attribute in the attribute set and the access policy.It is useful in the scenario where the user has privileged time like 7 PM to 9 PM, it is embedded as an attribute into the attributes set and the user is assigned a secret key corresponding to this attribute set.Similarly, data owners also embed a time component into the access structure, for example, 4 PM to 10 PM, for generating the ciphertext.If the current time is 8 PM, then the user will be able to access it provided the other attributes possessed by the user satisfy the access policy.This scheme also has rigidity in terms of the access time specified in the attribute set, and if we need to change it, then the secret key must be reassigned like in 1 .To develop a flexible scheme, it is the search token that should contain the time component rather than hard-wiring the time component in the secret key.Table 1 summarizes the key features of the related schemes in the literature.

System preliminaries
This section discusses the preliminary information required to understand the construction of the proposed scheme.

Bilinear map
In pairing-based cryptography, a bilinear map e is defined as Eq.(1).
where, G, G T are cyclic groups of prime order, p.
In simple terms, a bilinear map takes two elements, one from each of the groups, G, and maps them to an element in G T .The bilinear map e satisfies specific properties: 1. Bilinearity: The most important property of a bilinear map is its bilinearity, which means that it behaves linearly concerning both of its arguments.Specifically, ∀ P, Q ∈ G , and a, b ∈ Z p , bilinearity ensures: e(P a , Q b ) = e(P, Q) ab 2. Non-degeneracy: A bilinear map is non-degenerate if it ensures that e(P, Q) is not equal to the group's identity element for any non-zero P and Q. 3. Efficiency: Pairing-based cryptography often relies on the efficiency of bilinear map computations.Efficient algorithms exist to compute pairings in polynomial time, making them practical for cryptographic applications.

Generic bilinear group
In the generic bilinear group model, adversary is provided with the random encodings of a group.Let θ 1 and θ 2 are two random encoding of Z p , such that θ 1 , θ 2 are one-to-one map from Z * p to {0, 1} n , where n ≥ 3log(p) .The group G is represented as {θ 1 (x) | x ∈ Z p } and G T is represented as {θ 2 (x) | x ∈ Z p } .The random oracle computes e, and G is called a generic bilinear group.The generator, g of G is represented as θ 1 (1), g x = θ 1 (x) .Similarly, the generator, e(g, g), of the target group, G T is represented as θ 2 (1) and any element of the form e(g, g) x is represented as θ 2 (x).

Access policy
To manage the access control policy ρ , we will utilize a tree-like structure based on attributes.In an access tree structure, T ρ , leaf nodes often represent attributes, and a non-leaf node represents a threshold gate.A thresh- old gate specifies a condition that combines multiple attributes, and access is granted only if the condition is met.The value of the threshold (t n ) of a node n is determined by the number of children num n of that node, 1 ≤ t n ≤ (num) n .If t n = 1 , it represents OR gate and if t n = (num) n , it represents an AND gate.For each of the leaf nodes threshold value is 1.Let leaf(T ρ ) denotes leaves of T ρ , par(n) denotes the parent of node n, ind(n) denotes the index of node n, and attr(l) denotes attribute associated with a leaf node, l.Let there be a function, F which takes the attribute set and the access structure as input.If the attribute set, Attr, satisfies T ρ then the function outputs 1, i.e., F(Attr, T ρ ) = 1.

Secret sharing using Shamir's scheme
Shamir's Secret Sharing Scheme, developed by Adi Shamir in 1979 18 , is a cryptographic method for splitting a secret into multiple shares or parts, distributing them among a group of participants, and allowing the original secret to be reconstructed only when a sufficient number of shares are combined.This scheme is used to ensure data confidentiality and security in scenarios where sensitive information needs to be distributed securely among multiple parties.Given T ρ , the procedure for distributing the secret s according to T ρ using Shamir's secret shar- ing is as follows: 1. Key generation: A trusted entity (often called the "dealer") generates a secret, denoted as s, that needs to be protected.This secret can be a cryptographic key, password, or any sensitive information.

Polynomial generation:
The dealer then generates a random polynomial of degree (t n − 1) for each node, n, in a top-down manner.The polynomial is defined as Eq. ( 2): The coefficients a 0 , a 1 , . . ., a t n−1 are randomly chosen, with a 0 representing the constant term and a t n−1 representing the highest-degree term.

Share creation and distribution:
The dealer calculates different shares by evaluating the polynomial P n (x) at distinct points as in Eq. ( 3). (2) • Otherwise, set P n (0) = P par(n) (ind(n)) and randomly t n−1 coefficients are chosen for polynomial,P n (x).
When the algorithm terminates, each leaf node has a secret share, P n (0) , of secret s at node n. 4. Reconstruction: To reconstruct the original secret, these leaf nodes combine their secret share to recover/ interpolate the polynomial P n (x) .Given a set of values, {V l 1 , V l 2 , . . ., V l m } , where l 1 , l 2 , . . ., l m are the leaves of T ρ , and F(attr(l 1 ), attr(l 2 ), . . .attr(l m ), T ρ ) = 1 , V ( l i ) = e(g, g) P l i (0) , 1 ≤ i ≤ m, P l i (0) are secret shares of s.These secret shares can be combined to recover the original secret as Eq. ( 4): 5. Interpolation and secret recovery: Lagrange interpolation method are used to compute the coefficients of P n (x) , which includes the constant term a 0 , representing the secret s.If F({attr(l 1 ), attr(l 2 ), . . .attr(l m )}, T ρ ) = 1 , then following steps are used to recover the secret: , where n = l i for some i.
• If n is an inner node having num n number of children nodes {u 1 , u 2 , . . ., u num n } , then there exists a set of i nd i c e s I su ch t hat | I |= t n , j ∈ IandF {attr(l 1 ), attr(l 2 ), . . .attr(l m )}, T u j = 1 .S e t V n = π (j∈I) e(g, g) (P u j (0) u j = e(g, g) P n (0) , where u j = π q∈I,q� =j −j q−j When the combine algorithm terminates, the root of T row is associated with V root = e(g, g) P root (0) = e(g, g) s .

Technical overview of CP-FG-TKS
In this section, we provide the formal definition of the CP-FG-TKS scheme along with its architecture and security definition.

System definition
The CP-FG-TKS scheme comprises the subsequent polynomial time algorithms as explained below: The cloud-based healthcare server runs this algorithm to search for the ciphertext containing the keyword w ′ using the search token STK.Before performing the search operation, the cloud server checks, if the AS possessed by the user satisfies the access tree.If AS T , it returns ⊥ ; otherwise if tym ∈ TI ∧ w = w ′ , then it returns 1 along with the reference to the encrypted file else, it returns 0.
• Correctness: The proposed CT-FG-TKS scheme is correct if the following condition holds:

System architecture
The system model for the proposed CP-FG-TKS typically involves various entities, processes, and interactions as shown in Figure 1.

Entities
• Data owner: This entity owns or generates sensitive medical data.It could be a healthcare provider, a hospi- tal, or an individual patient.The data owner is responsible for encrypting and managing access to the data.Data owner uploads and manages data in the cloud storage system.Data owners define access policies and keywords for their data. (4) • Data user: Data user is an entity that needs to search for specific medical information within the encrypted dataset.This entity could be a healthcare professional, a researcher, or any authorized user requiring access to specific information while respecting privacy constraints.• Trusted third party (TTP): It manages the overall system, including user credentials, attributes, and system configuration.In healthcare, attributes could include patient identifiers, medical conditions, or other relevant information • Cloud server (CS): CS is responsible for storing the encrypted medical data uploaded by data owners.When authorized data recipients request access to specific encrypted data, the cloud server retrieves the encrypted data by performing keyword-based search operations on the encrypted data.Further, the cloud server enforces access control policies when a data recipient requests access to encrypted data.It checks whether the user's attributes meet the access policy criteria defined by the data owner.

Processes and interactions
• User registration and authentication: Cloud users based on their attributes get the secret credentials from TTP.
• Access policy definition and encryption: Data owners define fine-grained access policies, specifying attrib- utes, roles, or conditions that grant access to specific data.• Keyword search request: Data users initiate keyword search requests by generating the search trapdoor for the keywords they want to search for.• Fine-grained keyword search: The cloud server first evaluates access control policies to determine if the requesting user has the necessary attributes or meets the specified conditions to access the data.Furthermore, it checks temporary access control, ensuring that access rights expire after a predefined time period.Finally, after verifying all the necessary checks stated above, The cloud server conducts a search based on keywords within the encrypted data and yields encrypted search results to the user.

Threat model
In the proposed scheme, the trusted third party and the data owner are assumed to be fully trusted, while the cloud server is assumed to be honest but curious, which means the cloud server will execute the search algorithm correctly, but it will try to get the background information as much as possible.The data users may be malicious, and the malicious users may collude with others to get sensitive information in an unauthorized manner.However, they cannot reveal their secret keys.Following are the potential threats that can be caused by malicious data users and the curious cloud server: • Attribute privacy leakage: The attributes involved in the access policy and the attributes possessed by the users are sent in plaintext with the ciphertext and the search token respectively.The attributes contain sensitive information which can be accessed by the cloud server.www.nature.com/scientificreports/ • Secret key collusion: The malicious users can collude together and try to get the secret key corresponding to the attribute set possessed by multiple malicious users, which can result in unauthorized access.• Keyword guessing attack: The public key-based searchable encryption schemes suffer from the keyword guess- ing attack unless explicitly handled.Because the keywords are chosen from a polynomial-size universe and the adversary (cloud server/malicious user) can guess the keyword and obtain the resulting ciphertext for the keyword from the encryption oracle and compare it with the trapdoor it received from authorized users to check if there is match and thereby retrieve the keyword information.

Design goal
The proposed scheme ensures the following design goals: Data Privacy: The proposed scheme guarantees data security by preventing the cloud server and malicious users from obtaining any sensitive information.The data files and the associated keywords are encrypted before outsourcing to the cloud server to ensure data confidentiality.
• Search token unlinkability: The proposed scheme guarantees that the cloud server cannot distinguish if the two search tokens belong to the same keyword.This is ensured by generating the search token in an indeterministic way by choosing a new random number every time this algorithm is called for generating the search token.

• Security against chosen keyword attack (CKA):
The adversary cannot distinguish between the encryption of two keywords of its choice even if it has search tokens for all the keywords except the keywords chosen by her.The security against CKA is ensured in the generic bilinear group model and a comprehensive proof is given in the security analysis section.• Search token modification: To provide additional security to search tokens, the temporal component is embed- ded by computing the one-way hash of the time interval for which the trapdoor is valid, which always generates a new random number and thereby prevents the modification of the search token by some malicious entity.

Security definition and framework
The security of the proposed CP-FG-TKS is analyzed in the generic group model against the Selectively Chosen Keyword Attack (sCKA).The adversary must not be able to differentiate between the encryption of two challenge keywords of their choice under this attack, even if they receive the search token of any keyword except the challenge keywords.Here, the term selective means that the adversary specifies the access structure he wishes to attack before the security game begins.The security of a cryptosystem is often analyzed using a "security game" framework, which helps to evaluate the system's resilience against various threats and attacks.Security games provide a structured way of evaluating the security of cryptographic systems.The game is used to define security goals and assumptions and to evaluate whether the system meets these goals.A simplified overview of the security game for CP-FG-TKS is given below: A simplified overview of the security game for CP-FG-TKS Players in the Security Game: Challenger (C, Attacker A) *Challenger represents the entity responsible for designing and testing the CP-FG-TKS system, whereas Attacker represents an adversary trying to compromise the security and privacy of the system.
Game Steps: Init Phase: A selects the access structure, τ * , and time period tym * on which it wishes to be challenged and give it to C.
Setup Phase: The Challenger ( C ) defines the security parameters of the CP-FG-TKS system, including cryp- tographic algorithms and access control policies.Further, C generates cryptographic keys and distributes them to users and system components as needed.
Phase 1: A queries for secret key provided AS T .Further, A can query for search token for any keyword and C maintains a list for all the queried keywords.
Attacker's Challenge: A attempts to compromise the security of the CP-FG-TKS system within the defined security parameters.A chooses challenge keywords w 0 , w 1 for which A has not queries in Phase 1. C then ran- domly selects a bit b and generates the challenge ciphertext corresponding to the selected bit value, which is then given to A.
Phase 2: A can ask queries in the same way as in Phase 1, but cannot inquire aboutw 0 orw 1 .Guess: A wins the game if b = b ′ , given the output of A as b ′ , which also consists following benefit:

Construction of CP-FG-TKG
A detailed explanation of the construction of CP-FG-TKS is as follows: SystemInit(τ , Attr, W): Let the bilinear mapping function be defined as e:G × G− > G T ; G and G T denote the source and target cyclic groups of prime order p.Let g denote the generator of G.
T TP selects x, y, z < −Z p randomly and compute g x , g y , g z .Output public parameters Parm=(p, G, G T , g, e, Attr, W, H 1 , H 2 , g x , g y , g z ) , and master secret key MK = (x, y, z).
Vol:.( 1234567890 www.nature.com/scientificreports/SKEYG(Parm, MK, AS): TTP randomly selects r < −Z p and r j < −Z p for each attr j ∈ AS , and computes S 1 = g xz−r y , S j,1 = g r H 1 (attr j ) r j , S j,2 = g r j .Outputs secret key, SK = (AS, S 1 , {S j,1 , S j,2 : ∀attr j ∈ AS}).INDG(Parm, tym, τ, w): Data owner encrypts keyword, w, under time period tym ∈: 0, 1 * and access structure, τ .For this data owner randomly selects r 1 , r 2 < −Z p , and computes, CW 0 = g x(r 1 +r 2 ) g yH 2 (w)r 1 , CW 1 = g zr 1 , CW 2 = g yr 2 , CW tym = H 1 (tym) r 2 .Further, the data owner computes secret shares of r 2 as follows: • In a top-down fashion, beginning from the root node r of τ , the data owner defines a random polynomial, P n (x) for each node,n in τ • ∀n , set the degree, d n of P n ((x)) to be one less than the threshold value, t n of that node.
• For root node r, set P r (0) = r 2 and rest of the t r − 1 points are chosen randomly to define P r .
• ∀j ∈ T r , where j is the non-leaf node.Set P j (0) = P par(j) (ind(j)) and other t j − 1 are randomly chosen.This step is repeated until the leaf nodes are reached.
Let L represent the group of terminal nodes in τ where each node, denoted as l, is linked to an attribute, attr j ∈ Attr.Data owner now computes the ciphertext component for each leaf node, l ∈ Las : CW l,3 = g P l (0) , CW l,4 = H 1 (attr j ) P l (0) .Finally, the data owner outputs ciphertext corresponding to keyword, w as: CW = (τ , tym, CW 0 , CW 1 , CW 2 , CW l,3 , CW l,4 , CW tym ).TOKG(Parm, SK, TI, w ′ ): Data user generates search token for w ′ by using SK of the data user and time interval TI = {t i } 1≤i≤m where t i ∈ 0, 1 * .Data user randomly selects, s < −Z p , and computes, ) s , TK 2 = (g x g yH 2 (w ′ ) ) s , TK 3 = g zs , TK j,1 = g y S s j,1 , TK j,2 = S s j,2 .Now for each {t i ∈ TI} 1≤i≤m , data user randomly selects r i < −Z p , and computes TK i,1 = g zs H 1 (t i ) r i , TK i,2 = g yr i .

Search(Parm, CW, STK):
The algorithm is executed by the cloud server only in cases where AS T ; If not, it terminates and returns ⊥ .Afterward, the cloud server computes: For each non-leaf node, v in τ , execute the following step recursively in a bottom-up manner: for each child, u j of v, create a set V of size t v that includes children of v, where V u j = ⊥ and compute V v as given below: Where, △ ( u j ) = � linV ,l� =j −j l−j is the Lagrange coefficient.This recursive process iterates until the root node, r, is reached: Cloud server computes, e(TK i,1 ,CW 2 ) e(TK i,2 ,CW tym ) = e(g, g) yzsr 2 The following condition holds if w = w ′ : If the condition above is met, the cloud server will return output as 1; otherwise, it will return 0.

Security and performance analysis
To establish the security of the CP-FG-TKS scheme against selective CKA in a generic bilinear group model, we will apply the subsequent definition: The CP-FG-TKS scheme provides security against sCKA in the generic bilinear group model, assuming H 2 functions as a one-way hash, and H 1 acts as a random oracle.
Proof: As per the security game given in Section "System architecture", the adversary's objective is to differentiate between CW 0 for the two challenge keywords' w 0 , w 1 , where w 0 , w 1 are of the same length, i.e.A must be able to differentiate g x(r 1 +r 2 ) .g yH 2 (w 0 )r 1 andg x(r 1 +r 2 ) .g yH 2 (w 1 )r 1 .The proposed scheme security against sCKA, when the probability of differentiating CW 0 for challenge keywords from a random element in G is negligible, i.e., Such that p 0 − p 1 is negligible, where η is randomly selected from Z p , and g η corresponds to some random ele- ment in G.
Init Phase: A selects the challenge access structure, τ * , and time period tym * which is sent to C. Setup Phase: C choose,x, y, z < −Z p randomly, and send Parm=(g x , g y , g z , e, p) to A. Phase 1: A can make H 1 queries to a random oracle.Further, A can query for a secret key for any user, and search token for any keyword.The challenger will respond to each query using the specified oracles as given below: O ( H 1 ) oracle: A set of entries L A TT = (attr j , H 1 (attr j )) and L TI = (t i , H 1 (t i )) is managed by C for all the H 1 queries asked by A .If attr j ∈ L ATT , C simply outputs g H 1 (att j ) from L ATT ; else C choose, a j < −Z p , add a j to L ATT and send, g a j to A .If t i ∈ L TI C .C simply outputs H 1 (t i ) , else C choose, t i < −Z p and t i to L TI and send, g t i to A.
O SKEYG and O TOKG oracle: A can query O SKEYG and O TOKG oracles polynomial times from C .For SK que- ries, C chooses, v < −Z p randomly, and computes, S 1 = g xz−v y , S 2 = g v , and ∀attr j ∈ AS, C chooses, v j < −Z p randomly and computes, S j,1 = g t g a j ,v j , S j,2 = g v j and outputs (AS, S 1 , S 2 , S j,1 , S j,1 } attr j ∈AS ) for C.
For STK queries, C utilizes O SKEYG output and responds to STK queries by choosing, s, r i < −Z p , and comput- ing TK 1 = (g z S 1 ) s , TK 2 = (g x g yH 2 (w) ) s , TK 3 = g zs , TK j,1 = g y S s j,1 , TK j,2 = S s j,2 , TK i,1 = g zs g t i r i , TK i,2 = g yr i .If τ * (AS) and tym * ∈ TI, C adds the keyword, w, to L STK list.
Challenge Phase: C takes {w 0 , w 1 } / ∈ L STK from A and outputs challenge ciphertext by selecting a random bit, b, as follows: C randomly selects two elements, r 1 , r 2 < −Z p , and gets secret shares of r 2 using τ * , given by P l (0), ∀l ∈ leaves(τ * ) .C generates the Ciphertext for the challenge as: Phase 2: It is similar to phase 1.
Guess Phase: A wins the game in case b ′ = b , when its estimated output is b ′ of b.
(14) Pr g x(r 1 +r 2 ) .g yH 2 (w 0 )r 1 − Pr g η = p 0 (15) Pr g x(r 1 +r 2 ) .g yH 2 (w 1 )r 1 − Pr g η = p 1 (16) CW 0 = g η g yH 2 (w b )r 1 , CW 1 = g zr 1 , CW 2 = g yr 1 , (17) CW tym = g t * r 2 , CW l,3 = g P l (0) , CW l,4 = g a j P l (0) Vol:.( 1234567890 www.nature.com/scientificreports/generated encodings of G and G T respectively.To be more precise, θ 1 and θ 2 are injective functions that map Z p to G and G T , and the likelihood of guessing an element in the image of θ 1 and θ 2 is negligible.Now, let us see the construction of e(g, g) δx(r 1 +r 2 ) for some δ ∈ Z p by A .Since the term r 1 comes in the form xr 1 , so to construct e(g, g) δx(r 1 +r 2 ) , δ should also contain z.Let δ = zδ ' for some δ ′ ∈ Z p .Now, A constructs e(g, g) δ ′ zx(r 1 +r 2 ) and needs δ ′ xzr 2 , and the term r 2 that comes with y in the form yr 2 in the challenge ciphertext.Now, A requires eliminating y using the random oracle outputs, yr 2 xz+ν y = xzr 2 + νr 2 .Furthermore, A needs to eliminate νr 2 since r 2 is shared on the leaves of τ * .To reconstruct νr 2 A requires the following terms to satisfy τ * corresponding to a j : ν + a j ν j , q x (0), a j P l (0) .A can only request secret key queries for attribute sets that do not satisfy τ * , which means attributes corresponding to ν j of ν + a j , ν j can't satisfy τ * .Hence, A 's creation of e(g, g) δx(r 1 +r 2 ) from g η has little advantage, proving that the proposed scheme is secure against selective chosen keyword attacks (sCKA).

Theoretical cost analysis
In this section, we compare the theoretical costs of storage and computation.We provide a comprehensive breakdown of the symbols used in the comparison, which can be found in Table 2.
Table 3 compares the storage costs of the fine-grained temporary keyword search schemes, including the proposed CP-FG-TKS scheme.The cost of storing the secret key, ciphertext, and search token of 1,2,15 and the proposed scheme varies linearly with the number of attributes and it is similar in all these schemes with a difference of only some constant factors.
Table 4 compares the computational expenses of the CP-FG-TKS scheme proposed with other fine-grained temporary keyword search schemes.As indicated in Table 4, the computational cost of generating the secret key, index, and search tokens of the proposed scheme is similar to that of related existing schemes.In all these schemes, the computational cost varies linearly with the number of attributes.
Based on our theoretical analysis of the storage and computational costs, we have concluded that the proposed scheme can be developed for temporary keyword searches with negligible additional costs.Further, it enables precise access control for shared cloud storage and save the TTP from the extra overhead of reassignment of secret credentials as the time component is not embedded in the secret key like in 1 .www.nature.com/scientificreports/

Performance analysis
A reproducible set of experiments has been conducted to evaluate the performance of the proposed framework over a system with Windows 10, Intel i3 processor, with 2.00 GHz frequency and RAM of 4 GB.The system has been implemented using Netbeans-8.1 and the JPBC library 19 .A bilinear map has been initiated by engaging paring of Type A over an elliptic curve i.e. y 2 = x 3 + x 2 on top of a Fq field where q = 3mod4 is a random prime.The employed pairing can be called symmetric in nature as both G 1 and G 2 represent the cluster of points belonging to E(Fq).The element size is fixed to 512 bits which is comparably more secure than the 1024 bits that have been employed in DLOG 20 .Furthermore, the order of clusters G and GT is represented by the prime, P is relatively fixed to 160 bits.Additionally, for stumble on the time taken by each method, the total count of attributes presents in the attribute pool, policy for accessing as well, and value of set has been increased from 10 to 50 where each step length is 10.The average duration of execution is presented in Figs. 2 through 5 as a function of the number of attributes.The results depicted in Figs. 2, 3, 4 and 5 demonstrate that the computational expense of all the temporary keyword search methods under investigation is directly proportional to the total number of attributes.This comparative evaluation can be validated through the theoretical asymptotic costs illustrated in Tables 3 and 4.
Figure 2 displays the mean duration for secret key generation, revealing a linear relation with the number of attributes, and it is observed that the proposed scheme has lesser complexity than 1 .Figure 3 depicts the computational cost required to produce an index, which again varies linearly with number of attributes utilized.For   www.nature.com/scientificreports/ the proposed approach, it is observed that the time complexity exceeds the work proposed in 2 and 15 however, it is again lesser than 1 .Figure 4 displays the mean execution time for generating the search token.The obtained outcomes demonstrate a linear correlation between the execution time and the number of attributes in the schemes under consideration.The proposed scheme and the scheme in 1 have comparable time complexity with a very small difference, however it is slightly higher than 2 and 15 .The average execution time for cloud server search operations is shown in Fig. 5.It is evident that the number of attributes has a linear correlation with the average execution time.Observing the results obtained, it can be concluded that the considered schemes have a comparable time complexity without any striking differences.Thus, all the schemes are equivalent in terms of computational complexity.However, the proposed scheme outperforms 1 in terms of reducing the computational burden on trusted authority by eliminating the need of secret credential reassignment with time.In comparison to 15 , the proposed scheme is a ciphertext-policy variant which is a better cryptographic primitive in the shared storage cloud environment as it enables data owner to enforce better control over his/her data.

Conclusion
In this paper, we present a secure scheme called ciphertext policy fine-grained temporary keyword search (CP-FG-TKS) for protecting cloud storage.These features make CP-FG-TKS essential for building a secure and advanced shared cloud storage environment.By utilizing the ciphertext-policy variant, precise access control can be achieved, empowering data owners to define intricate access policies.The proposed scheme achieves temporary keyword search by making the search token valid for search only for a certain period of time.Our scheme's resilience against selectively chosen keyword attacks in the general bilinear group model has been formally proven.Furthermore, we conducted a performance comparison between the proposed scheme and other temporary keyword search schemes.Our findings indicate that all schemes have linear complexity in relation to the number of attributes, and are therefore computationally equivalent.However, the proposed scheme reduces the extra overhead of secret key reassignment by including the temporal component in the search token and not in the secret key.In future we can focus on making the storage and computational cost invariable to the involved attributes.

( 1 )
e : G × G− > G T Attr,W)->[MK,Parm]: The trusted third party (TTP) which can healthcare management unit runs this algorithm by taking security parameter, ζ , universal set of attributes, Attr, and the keyword universe, W as input.It outputs the public parameters PPAR and master secret key MK.• SKEYG(Parm, MK, AS)− >SK: TTP runs this algorithm by taking PPAR, MK and the attribute set, AS possessed by the user, and outputs SK for that user.• INDG(Parm,tym,τ,w)− >CW: Data owner which can be the patients in healthcare domain runs this algo- rithm by taking PPAR, keyword w and access structure τ , time, tym, of encryption as input and, outputs ciphertext corresponding to keyword, CW. • TOKG(Parm, SK, TI,w')− >STK: Data user which can be doctors or hospital lab staff runs this algorithm by taking PPAR, SK, time interval, TI to generate search token for keyword w' , which will be valid for searching the ciphertext for the specified time interval.• Search(Parm, CW, STK)− > 0 1 :

|
G |, | G T |The length of an element in G and G T , respectively.|Z P |The length of an element in a group of integers prime order (p)E, E TThe exponent operation in G and G T , respectively.P, H 1 , H 2The bilinear pairing operation and the hash functions, respectively.N, SNumber of attributes concerning the access structure and the users, respectively.|T | Size of the time interval

Table 1 .
Comparison of key features of related fine-grained searchable schemes in the literature.

Table 2 .
Notation and their description.

Table 3 .
Comparative analysis of storage cost.

Table 4 .
Comparative analysis of computation cost.